Port forwarding

From Wikipedia, the free encyclopedia

It is common to configure port forwarding on routers over a web interface. Here, the user is configuring port forwarding for a Conexant router. 10.0.0.3 and 10.0.0.5 are the private IPs on the LAN.

Port forwarding, sometimes referred to as port mapping,^[1] is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.^[2]

[edit] Purposes

Port forwarding allows remote computers (e.g. public machines on the Internet) to connect to a specific computer within a private LAN.^[3]

For example:

forwarding port 80 to run an HTTP webserver within private LAN from internet
forwarding port 22 to allow Secure Shell access within private LAN from internet
forwarding port 21 to allow FTP access within private LAN from internet

Modern Linux machines achieve this by adding iptables rules to the nat table: with target DNAT to the PREROUTING chain, and/or with target SNAT in the POSTROUTING chain.

BSD and Mac OS X machines use a similar tool named ipfw. The ipfw tool is likely already running as a built-in part of the operating system's kernel.

Some common caveats with port forwarding include:

The need to forward the packets that come to the router's forwarded port as well as the need to rewrite them so that the machine to which the port is forwarded can reply to the original source address, which in turn leads to the inability of the destination (private) machine to see the actual originator of the forwarded packets, and instead see them as if originating from the router
Only one networked machine can use a specific forwarded port at one time
Traditional port forwarding allows the entire world access to the forwarded port, slightly reducing network security

Port forwarding can also be used within a single machine. Port forwarding is necessary for a standalone computer if any of the following conditions are true:

The computer is using a shared IP address.
Internet Connection Sharing is enabled.
A router is being used with NAT enabled.

In a typical home networking setup, internet access is through a DSL or Cable modem. That modem may be connected to a router, which is then connected to the networked computers by Ethernet or WiFi. The router is the device that the Internet sees; it holds the public IP address. The computers behind the router, on the other hand, are invisible to the Internet as they hold a local IP address each. Port forwarding is necessary in the router because computers will send information directed to the public IP address and the router needs to know where to send that information.^[4]

Port forwarding is commonly done on Unix computers where port numbers numbered below 1024 can only be accessed by software running as the root user. Running as root can be a security risk, so some people use port forwarding to redirect incoming traffic from a low numbered port to software listening on a higher port. For example, a web server may be listening on a port such as 8080 for traffic redirected from the restricted port 80. A port may be forwarded for use by either the TCP protocol, the UDP protocol, or both.

[edit] Reverse port forwarding

Reverse port forwarding, or reverse port tunnelling, is done by two components, usually software-based, where one component acts as a session-server - listening on a session-port, while the other component acts as a session-client to the session-server component - connecting to the session-server. After a session is established, the session-server will often listen on (accept connections on) a port that is to be forwarded, and when a connection is made to this port, the connection traffic will be forwarded to the session-client (through the session-connection that was previously initiated by the session-client), usually with a destination of the session-client machine or another machine accessible from the session-client. A common situation where this type of forwarding is used is where a port needs to be accessed that is on a machine located behind a gateway/router or firewall that is not configurable by those wanting to access that port. This functionality is built-in to some implementations of SSH (Secure Shell), and there are also software systems available that are designed more specifically for this type of forwarding.

[edit] See also

[edit] References

^ "Definition of: port forwarding". PC Magazine. http://www.pcmag.com/encyclopedia_term/0,2542,t=port+forwarding&i=49509,00.asp. Retrieved on 2008-10-11.
^ Rory Krause. "Using ssh Port Forwarding to Print at Remote Locations". Linux Journal. http://www.linuxjournal.com/article/5462. Retrieved on 2008-10-11.
^ Jeff "Crash" Goldin. "How to set up a home web server". Red Hat. http://www.redhat.com/magazine/022aug06/features/webserver/. Retrieved on 2008-10-11.
^ Alan Stafford. "Warp Speed Web Access: Sharing the Bandwidth". PC World. http://pcworld.about.com/magazine/1901p102id35287.htm. Retrieved on 2008-10-11.

[edit] External links

[0] "Definition of: port forwarding". PC Magazine. http://www.pcmag.com/encyclopedia_term/0,2542,t=port+forwarding&i=49509,00.asp. Retrieved on 2008-10-11.

[1] Rory Krause. "Using ssh Port Forwarding to Print at Remote Locations". Linux Journal. http://www.linuxjournal.com/article/5462. Retrieved on 2008-10-11.

[2] Jeff "Crash" Goldin. "How to set up a home web server". Red Hat. http://www.redhat.com/magazine/022aug06/features/webserver/. Retrieved on 2008-10-11.

[3] Alan Stafford. "Warp Speed Web Access: Sharing the Bandwidth". PC World. http://pcworld.about.com/magazine/1901p102id35287.htm. Retrieved on 2008-10-11.

[1]

[2]

[3]

[4]

Port forwarding

From Wikipedia, the free encyclopedia

Contents

[edit] Purposes

[edit] Reverse port forwarding

[edit] See also

[edit] References

[edit] External links

Views

Personal tools

Navigation

Search

Interaction

Toolbox

Languages